1. Technical Field
The present invention relates to multilevel port attribute passing methods, apparatuses, and computer program products operable in computer systems, and more particularly, to multilevel port attribute passing systems operable in operating systems utilizing multilevel multiple security levels in which security attributes are passed in a stream.
2. Background
Secure computer systems restrict information from unauthorized disclosure. Government secrecy systems ensure that users access only permitted information in accordance with predetermined security clearances. Other secure environments protect selected private information including payroll data and other sensitive company data including internal memoranda and competitive strategy documents.
To establish computer security for government or company systems, a security policy is adopted. The security policy establishes rules for managing, protecting and distributing sensitive information. A security policy is typically stated in terms of subject and objects. Subjects are active within a selected system and include users, processes, and programs, for example. Objects are the recipients of subject action, such as files, directories, devices, sockets, and windows. A security policy may set rules to determine whether a subject user has access to a particular object such as a file.
One well-known security system developed by David Bell and Leonard LaPadula in 1973 describes a multilevel secure computer system having access rules depending upon the security clearances of messaging processes. Security systems based upon access rules rely upon reference monitors which enforce authorized access relationships between subjects and objects of a system. A security kernel concept developed by Roger Shell in 1972 implements the reference monitor notion that all system activity is supervised in accordance with the system's security policy. The kernel accordingly mediates. A "trusted system" has sufficient hardware and software integrity to allow its use to simultaneously process a range of sensitive unclassified or classified information for a diverse set of users without violating access privileges.
Networks require that the security mechanism of a trusted system be able to control communication with the trusted systems. Previously, a network administrator typically had tight control over system connections with other systems. However, with the proliferation of interconnected networks and easy remote access and resource sharing, systems often cannot identify or trust the entire network.
Strategies for establishing security in network environments require labeling data with predetermined security attributes or sensitivity labels, information labels. This enables recognition of data sensitivity at other systems of a network. Because different networks support different security policies, these labels are not necessarily in the same format. In certain secure networks, each system may have a different kind of label. A user sensitivity label specifies the sensitivity level, or level of trust, associated with that user. A file's sensitivity label similarly specifies the level of trust that a user must have to be able to access the particular file. Mandatory access controls use sensitivity labels to determine who can access what information in a system. Together, labeling and mandatory access control implement a multilevel security policy--a policy for handling multiple information classifications at a number of different security levels within a single computer system.
Under mandatory access control, every subject and object in a system supporting mandatory access controls has a sensitivity label associated with it. A sensitivity label generally includes a classification and a set of categories or compartments. The classification system is typically hierarchical, including in a military security model, for example, multiple distinct levels, such as top secret, secret, confidential and classified. In a company environment, other classifications may be followed including labels such as company confidential, or company private.
Typically, for a subject to read an object, the subject's sensitivity level must dominate the object's sensitivity level. A subject's sensitivity label dominates the object's sensitivity label if the subject's classification is equal to or exceeds the classification of the object. Similarly, in order to write an object, the object's sensitivity level must dominate the subject's sensitivity level. In order for a subject to write to an object, the subject's sensitivity level must be equal to or less than the sensitivity level of the object or file. Consequently, in a current mandatory access system, in order for a subject to freely read and write to and from an object, both the subject and the object must have the same classification label. This is the fundamental rule by which an access control system works, and by which two-way communication may take place between trusted computer systems.
In current networked multilevel trusted systems, third-party applications have only limited support for operating effectively. In particular, when multiple processes having different sensitivity labels attempt to access the same object or resource, despite differences in security level, the operation may block. In the prior art diagram of FIG. 1, an application runs on a trusted system and attempts to access a resource (i.e., a file, an application, or a database) either on the same system or on another system in a network. For success, the security levels of resource and subject must necessarily be the same in order to permit two-way communication according to the applicable access control security mechanism.
In multilevel trusted systems of the prior art as shown diagrammatically in FIG. 1, access to a resource or a service (object) by a process (subject) running at a particular sensitivity level is restricted to objects in memory having the same sensitivity level as the requesting process, as mandated by the access control mechanism. Consequently, two-way communication is precluded where the subject and the object have different sensitivity labels. Once a requested application, service or resource is instantiated in computer memory, a sensitivity label is associated with the process, service, or resource, and access by other processes running applications which also desire to access the resource, but which have a different clearance, is denied.
Another technical problem arises, however, in the prior art system of FIG. 2 described below when a port on a receiving system remains open for a substantial period of time at a particular security classification, clearance level, or sensitivity label. This prevents users and systems having different clearances from accessing the same resource, when a port has already been opened and remains open under a different clearance. Since a port number is unique to a resource or third party system being accessed, the unavailability of that particular port effectively precludes other users or systems with different clearances from accessing the third party resource. This effectively renders the resource unavailable to applications operating at different security levels.
Accordingly, there is a need for systems and methods providing access to resources operating at multiple security levels. Such systems and methods must be transparent to processes having different security classification levels.
An additional problem with current multilevel trusted systems is security violations from interlevel signal channel communications between associated system ports or covert channels. A covert channel is an information path that is not ordinarily used for communication in a system and thus is not protected by the system's normal security mechanisms. Thus, there is a secret way to communicate information to another person or program in violation of security protocol. The covert channels convey information by changes in data attributes or by changes in system performance or timing. By monitoring attribute changes for stored data and system timing, confidential information may be inferred. Data characteristics such as message length, frequency, and destination may be protected from analysis of data traffic by an intruder or from a user having a lower classification on the same system, with techniques such as covert channel analysis, padding messages to disguise their actual characteristics, or by sending noise or spurious messages. However, such measures do not guarantee data security. Accordingly, there is a need for systems and methods to prevent data access in violation of security protocol to ports having a dominant classification in a multi-security level computer system. Such systems and methods must secure access to the dominant port to protect attribute information from compromise to an intruder.
Another technical problem relates to the transmission of security attributes, which are currently transmitted in binary form and not as part of the data stream to which the security attributes relate. This binary transmission of the security attributes is cumbersome and non-integrated with the transmission of the associated data, creating additional work and specialized code to synchronize and associate the data transmitted with the separately provided security data. Accordingly, it is desirable to integrate the transmission of data and the related security attributes, to reduce programming costs and the likelihood of errors.